Importance of Understanding the Problem


Will Ohmer and Orville Wright. Wright Patterson AFB. 



Inventor and great-grandfather Will Ohmer used to say:

"To invent something, identify and understand the problem."
Limitations of Malware Detection


Up against fundamental limits in Computer Science: 


• No computer algorithm can detect all malware. 1 


• NP hard problems (traveling salesman) help encrypt and hide 
the malware. 2 


1 Fred Cohen. Computer Viruses Theory and Experiments. Computers and 
Security. 6(1) 22-35, Feb. 1987. 

2 Eric Filiol. Malicious Cryptology and Mathematics. Cryptography and 
Security in Computing. Chapter 2. Intech, March 7, 2012. 
Register Machine Vulnerability

• After a C, JAVA or Python program is compiled, a register
machine is a computer that executes the compiled
instructions.

• Register machines execute one instruction at a time.

• Register machine hardware uses branch instructions (jump). 

• A 1 or 2 bit flip in an instruction subverts the program. 

• One rogue branch instruction can jump to a malware routine. 

• In some cases, malware detection code won't execute. 
Flipping 2 bits in a C program instruction

#include <stdio.h>

/* display_numbers() and sort_pr() belong to the same program but are not shown on the slide. */

int greater_than(int p1, int p2)
{ return (p1 > p2); }

int less_than(int p1, int p2)
{ return (p1 < p2); }

int main(int argc, char* argv[])
{
    int nums[4] = {6, 9, 7, 8};
    display_numbers(nums, 4);
    printf("\n");

    /* The two calls differ only in the comparison function whose address is passed. */
    sort_pr(nums, 4, "less_than", less_than);
    sort_pr(nums, 4, "greater_than", greater_than);
    return 0;
}


~MacBook-Air:sort$ ./sort 
6 9 7 8 

6789 address of instruction less_than 
1101101001000000 

9876 address of instruction greater_than 
1101101000010000 
Motivating Stable Computation


• Typical programming languages (C, JAVA, Python) use 
conditional branching instructions. 


• 75% to 80% of control flow instructions in register machines 
are conditional branch instructions. 3 


• A register machine program’s purpose can be subverted 
because its behavior is not stable w.r.t. small changes. 


3 J. Hennessy and D. Patterson. Computer Architecture. 5th Edition, 
Morgan Kaufmann, 2012. Figure A.14 
A Program is a Dynamical System

• Dynamical systems theory has studied stability for over 80 years. 4


• Use mathematical tools (metric spaces, structural stability, 
topological conjugacy, ...) from dynamical systems theory. 


• Small changes to a computer program can be measured as 
small changes to a dynamical system. 


• Each Turing machine (computer program) maps to a finite set 
of affine maps (2x2 matrix + translation) in the x-y plane. 


4 Aleksandr Andronov and Lev Pontrjagin. Systemes Grossiers. Dokl. Akad. 
Nauk., SSSR, 14, 247-251, 1937. 
Mandelbrot Set is generated from a Dynamical System

Define the function $f_c(z) = z^2 + c$, where $c$ is a complex number.

The Mandelbrot set is the set of all complex numbers $c$ such that
the orbit $0,\ f_c(0),\ f_c \circ f_c(0),\ f_c \circ f_c \circ f_c(0),\ \ldots$ is bounded.


Toward A Mathematical Understanding of the Malware Problem 


Michael Stephen Fiske 






Understanding the Malware Problem Dynamical Systems Applied to Computer Programs Future Research Appendix 


$\varphi$ Maps each Turing Instruction to a Unique Affine Map

Alphabet $A = \{\#, a, b\}$. Machine states $Q = \{q, r, s\}$.

Turing program $\eta$:

$\eta$     #             a             b
q       (r, a, +1)    (h, b, +1)    (q, b, -1)
r       (q, b, -1)    (r, a, +1)    (r, b, +1)
s       (h, #, +1)    (h, a, +1)    (h, b, +1)

$\eta(q, \#) = (r, a, +1) \mapsto f_1(x, y) = (7x - 49,\ \tfrac{1}{7}y + 33)$

$\eta(r, \#) = (q, b, -1) \mapsto f_2(x, y) = (\tfrac{1}{7}x + 16,\ 7y - 231)$
Turing Instruction Execution ↔ Affine Map Iteration

$\nu(h) = 0,\ \nu(\#) = 1,\ \nu(a) = 2,\ \nu(b) = 3,\ \nu(q) = 4,\ \nu(r) = 5,\ \nu(s) = 6$
$B = |Q| + |A| + 1 = 7$

$\varphi : (q, k, T) \mapsto \left( \sum_{j=-1}^{\infty} \nu(T_{k+j+1}) B^{-j},\ B\nu(q) + \sum_{j=0}^{\infty} \nu(T_{k-j-1}) B^{-j} \right)$

Before machine execution starts (state $q$):

    #  #  #  #  #

After instruction $\eta(q, \#) = (r, a, +1)$ (state $r$):

    #  #  a  #  #

After instruction $\eta(r, \#) = (q, b, -1)$ (state $q$):

    #  #  a  b  #

$P_0 = (8\tfrac{1}{6},\ 29\tfrac{1}{6})$

$P_1 = f_1(P_0) = (8\tfrac{1}{6},\ 37\tfrac{1}{6})$

$P_2 = f_2(P_1) = (17\tfrac{1}{6},\ 29\tfrac{1}{6})$
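The correspondence on these two slides can be checked with exact rational arithmetic. This added example (not code from the talk or the paper) encodes a configuration with φ, builds the affine map for the next instruction, and confirms that iterating the maps tracks the machine; the function names and dict-based tape are assumptions, and the left/right map formulas are derived here from the φ encoding rather than quoted from the slides.

```python
from fractions import Fraction as F

# Values taken from the slides: digit map nu, base B = |Q| + |A| + 1, Turing program eta.
NU = {"h": 0, "#": 1, "a": 2, "b": 3, "q": 4, "r": 5, "s": 6}
B = 7
ETA = {("q", "#"): ("r", "a", +1), ("q", "a"): ("h", "b", +1), ("q", "b"): ("q", "b", -1),
       ("r", "#"): ("q", "b", -1), ("r", "a"): ("r", "a", +1), ("r", "b"): ("r", "b", +1),
       ("s", "#"): ("h", "#", +1), ("s", "a"): ("h", "a", +1), ("s", "b"): ("h", "b", +1)}

def cell(tape, i):
    return tape.get(i, "#")            # tape is a dict; unwritten cells are blank

def phi(state, k, tape):
    """Exact image (x, y) of configuration (state, head position k, tape)."""
    n = max((abs(i - k) for i in tape), default=0) + 1
    tail = F(NU["#"], (B - 1) * B ** n)   # closed form for the all-blank remainder of each sum
    x = sum(NU[cell(tape, k + j + 1)] * F(B) ** -j for j in range(-1, n + 1)) + tail
    y = B * NU[state] + sum(NU[cell(tape, k - j - 1)] * F(B) ** -j for j in range(n + 1)) + tail
    return x, y

def affine(state, k, tape):
    """Coefficients (ax, bx, ay, by) of x' = ax*x + bx, y' = ay*y + by for the next instruction."""
    t = cell(tape, k)
    nxt, w, move = ETA[(state, t)]
    if move == +1:   # head moves right: x sheds its leading digit, y gains the written symbol
        return F(B), -B * B * NU[t], F(1, B), B * NU[nxt] + NU[w] - NU[state]
    u = cell(tape, k - 1)   # head moves left: the left neighbour u becomes the scanned symbol
    return F(1, B), B * NU[u] + NU[w] - NU[t], F(B), B * (NU[nxt] - B * NU[state] - NU[u])

def step(state, k, tape):
    nxt, w, move = ETA[(state, cell(tape, k))]
    return nxt, k + move, {**tape, k: w}

def orbit(steps, state="q", k=0, tape=None):
    """Iterate the affine maps and the machine together; return the points visited."""
    tape = dict(tape or {})
    p = phi(state, k, tape)
    points = [p]
    for _ in range(steps):
        ax, bx, ay, by = affine(state, k, tape)
        p = (ax * p[0] + bx, ay * p[1] + by)
        state, k, tape = step(state, k, tape)
        if p != phi(state, k, tape):
            raise AssertionError("affine iteration diverged from machine execution")
        points.append(p)
    return points
```

Calling `orbit(3)` from a blank tape in state q reproduces P0, P1 and P2 from the slide and then the halting point reached by η(q, a) = (h, b, +1).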
Topological Conjugacy and Structural Stability

• A topological conjugacy h between two dynamical systems
f, g means they have equivalent dynamics.

• h maps halting configurations to fixed points in the plane.

• A halting configuration represents the result of a computation
after the computer program completes its computation.

• f is structurally stable if every dynamical system g that is
close to f under some metric is topologically conjugate to f.

MAIN IDEA: If Turing machine M is structurally stable, then
SMALL CHANGES to the computer program M WILL NOT
CHANGE WHAT M COMPUTES!
Can We Find Standard Computation That Is Stable?


• A Universal Turing Machine is basically a compiler or
interpreter (C, JAVA, Lisp, Python, ...).


• In our paper, a Universal Turing machine (UTM) is provided 
and it is shown that this UTM is structurally unstable. 


• This means that given a computer program P there are other 
programs arbitrarily close that exhibit different dynamics. 


• This means some of the nearby computer programs do not 
perform the same computation as program P. 
All Register Machine Compilers might be Unstable


• These initial results suggest that all compilers for C, Python,
etc. might be structurally unstable.


• The math theory translates to: computer programs executing on
register machines are inherently susceptible to malware
vulnerabilities.


• Caveat: instability was only shown for two metrics and one 
UTM encoding. 
Research Questions for Conventional Machines


• Are there general mathematical conditions when a Turing 
machine (register machine) is structurally unstable? 


• Do useful metrics exist on the space of Turing machines 
(computer programs)? 


WITI: IF stable conditions exist, THEN WE CAN DESIGN 
robust digital computer programs with our know-how. 
Research Direction for Unconventional Machines

IF stable conditions DO NOT EXIST, THEN WE CAN 

• BUILD machines that simultaneously execute instructions 

• BUILD machines that can repair their instructions. 

WITI: The program purpose can be made stable. 

Computation is resistant to sabotage of instructions. 
Active Element Machine 5

All Elements compute simultaneously. 

Elements fire and send pulses along Connections. 

Connections specify the pulses sent between elements. 

An element E fires at time s if: 

the sum of the input pulses to E is greater than E's threshold 
AND E’s refractory period r has expired; 

that is, s > r + / where / is the most recent firing time of E. 

5 M.S. Fiske. The Active Element Machine. Proceedings of Computational 
Intelligence. Autonomous Systems. Volume 391. Springer, 2011, pp. 69-96. 
Connections

(connection (time 4) (from E) (to Y) (amp -2) (width 3) (delay 5))
(connection (time 4) (from E) (to Z) (amp 4) (width 2) (delay 3))

If element E fires at time 4, then

A pulse of time width 3 and amplitude -2 reaches Y at time 9.
A pulse of time width 2 and amplitude 4 reaches Z at time 7.

[Figure: the pulse sent to Y and the pulse sent to Z]
Meta Command

Keyword clock evaluates to the current time of the active element 
machine clock. 


(meta (name E) (window b e) (C (args clock)) ) 

If active element E fires at time s in window [b, e], 

where b < s < e, then command (C clock) executes at time s. 

If there is no window and if E fires at any time s, 
then (C s) executes at time s. 
Searching for Complete Graphs

A complete graph $K_n$ on $n$ vertices: every vertex pair has one edge.
Ramsey Numbers

Each edge of $K_n$ is colored red or blue.

Ramsey number $r(j, l)$ is the least integer $n$ such that:

There is at least one complete subgraph $K_j$ with only red edges
OR
There is at least one complete subgraph $K_l$ with only blue edges.

Determining r(m, m) is NP-hard. r(5,5) is unknown.
AEM Program Determines r(3,3) > 5

Red edges: {1,2}, {2,3}, {3,4}, {4,5}, {1,5} 

Blue edges: {1,3}, {1,4}, {2,4}, {2,5}, {3,5} 

Triangles: {1, 2, 3}, {1, 2, 4}, {1, 2, 5}, {1, 3, 4}, {1, 3, 5},
{1, 4, 5}, {2, 3, 4}, {2, 3, 5}, {2, 4, 5}, {3, 4, 5}

1. Red edge Element commands 

(element (time 0) (name R_12) (threshold 1) (refractory 1) (last -1)) 

(element (time 0) (name R_23) (threshold 1) (refractory 1) (last -1)) 

(element (time 0) (name R_34) (threshold 1) (refractory 1) (last -1)) 

(element (time 0) (name R_45) (threshold 1) (refractory 1) (last -1)) 

(element (time 0) (name R_15) (threshold 1) (refractory 1) (last -1)) 

AEM Program Determines r(3,3) > 5

2. Blue edge Element commands

(element (time 0) (name B_13) (threshold 1) (refractory 1) (last -1))
(element (time 0) (name B_14) (threshold 1) (refractory 1) (last -1))
(element (time 0) (name B_24) (threshold 1) (refractory 1) (last -1))
(element (time 0) (name B_25) (threshold 1) (refractory 1) (last -1))
(element (time 0) (name B_35) (threshold 1) (refractory 1) (last -1))

3. Fire R_jk if edge {j, k} is red.

4. Fire B_jk if edge {j, k} is blue.

(fire (time 0) (name R_12))    (fire (time 0) (name B_13))
(fire (time 0) (name R_23))    (fire (time 0) (name B_14))
(fire (time 0) (name R_34))    (fire (time 0) (name B_24))
(fire (time 0) (name R_45))    (fire (time 0) (name B_25))
(fire (time 0) (name R_15))    (fire (time 0) (name B_35))

AEM Program Determines r(3,3) > 5 

5. For each edge {j, k},

(meta (name R_jk) (window 0 1)
  (connection (time 0) (from R_jk) (to R_jk) (amp 2) (width 1) (delay 1)))
(meta (name B_jk) (window 0 1)
  (connection (time 0) (from B_jk) (to B_jk) (amp 2) (width 1) (delay 1)))

6. For each {i, j, k}, compute if there is a blue triangle on vertices {i, j, k}.
(connection (time 0) (from B_ij) (to B_ijk) (amp 2) (width 1) (delay 1))
(connection (time 0) (from B_jk) (to B_ijk) (amp 2) (width 1) (delay 1))
(connection (time 0) (from B_ik) (to B_ijk) (amp 2) (width 1) (delay 1))

7. For each {i, j, k}, compute if there is a red triangle on vertices {i, j, k}.
(connection (time 0) (from R_ij) (to R_ijk) (amp 2) (width 1) (delay 1))
(connection (time 0) (from R_jk) (to R_ijk) (amp 2) (width 1) (delay 1))
(connection (time 0) (from R_ik) (to R_ijk) (amp 2) (width 1) (delay 1))

8. For each vertex set {i, j, k}, create red and blue elements.
(element (time 0) (name R_ijk) (threshold 5) (refractory 1) (last -1))
(element (time 0) (name B_ijk) (threshold 5) (refractory 1) (last -1))
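Steps 1 to 8 can be simulated directly. The following Python sketch is an added example, not the author's AEM interpreter: it assumes integer time steps, treats a pulse as active from its arrival time for `width` steps, and leaves out the step 5 meta commands; all function names are hypothetical.

```python
from itertools import combinations

# Edge colouring of K5 from the slides; each edge is written (j, k) with j < k.
RED = [(1, 2), (2, 3), (3, 4), (4, 5), (1, 5)]
BLUE = [(1, 3), (1, 4), (2, 4), (2, 5), (3, 5)]

def build(red, blue):
    """Return (elements, connections, fires) mirroring steps 1-4 and 6-8."""
    elements, connections, fires = {}, [], []
    for colour, edges in (("R", red), ("B", blue)):
        for j, k in edges:                               # steps 1-4: edge elements fired at time 0
            name = f"{colour}_{j}{k}"
            elements[name] = {"threshold": 1, "refractory": 1, "last": -1}
            fires.append((0, name))
        for i, j, k in combinations(range(1, 6), 3):     # step 8: one element per triangle
            tri = f"{colour}_{i}{j}{k}"
            elements[tri] = {"threshold": 5, "refractory": 1, "last": -1}
            for a, b in ((i, j), (j, k), (i, k)):        # steps 6-7: edge -> triangle
                src = f"{colour}_{a}{b}"
                if src in elements:                      # only edges of this colour have an element
                    connections.append({"from": src, "to": tri, "amp": 2, "width": 1, "delay": 1})
    return elements, connections, fires

def run(elements, connections, fires, t_end=2):
    """Discrete-time sketch of the firing rule; returns {time: sorted names that fired}."""
    pulses, fired = [], {}
    for s in range(t_end + 1):
        now = {name for t, name in fires if t == s}      # explicit fire commands
        for name, e in elements.items():
            total = sum(p["amp"] for p in pulses
                        if p["to"] == name and p["start"] <= s < p["start"] + p["width"])
            # Rule from the slides: input sum above threshold AND refractory period expired.
            if total > e["threshold"] and s > e["refractory"] + e["last"]:
                now.add(name)
        for name in now:
            elements[name]["last"] = s
            pulses += [{"to": c["to"], "amp": c["amp"], "start": s + c["delay"], "width": c["width"]}
                       for c in connections if c["from"] == name]
        fired[s] = sorted(now)
    return fired

def monochromatic_triangles(red, blue):
    """Names of the triangle elements (R_ijk / B_ijk) that fire at time 1."""
    fired = run(*build(red, blue))
    return [name for name in fired[1] if len(name) == 5]
```

With the slide's colouring no triangle element reaches threshold 5, because each receives at most two amplitude-2 pulses; recolouring edge {1, 3} red makes R_123 fire.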
AEM Program Sabotage and Repair


Michaels-MacBook-Air:AEM_K5_repair michael_fiske$ diff K5_l_red_triangle.aem K5_l_red_triangle_sabotage.aem 
64,65c64,66 

< (meta (name R_12) (window 0 1) 

< (connection (time 0) (from R_12) (to R_12) (amp 2) (width 1-dT) (delay 1))) 

> ;; SABOTAGE (meta (name R_12) 

> ;; (meta (name R_12) (window 0 1) 

> ;; (connection (time 0) (from R_12) (to R_12) (amp 2) (width 1-dT) (delay 1))) 



Michaels-MacBook-Air:AEM_K5_repair michael_fiske$ diff K5_l_red_triangle.aem repair_K5_l_red_triangle.aem 
64,65c94,96 

< (meta (name R_12) (window 0 1) 

< (connection (time 0) (from R_12) (to R_12) (amp 2) (width 1-dT) (delay 1))) 

> ;; SABOTAGE (meta (name R_12)) 

> ;; (meta (name R_12) (window 0 1) 

> ;; (connection (time 0) (from R_12) (to R_12) (amp 2) (width 1-dT) (delay 1))) 
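
Review bot: the `>` side of this hunk (lines 94-96 of repair_K5_l_red_triangle.aem) is still the three commented-out `;; SABOTAGE` lines, so nothing shown here restores the R_12 meta command. The shift from 64,65 to 94,96 points to roughly 30 lines added earlier in the repair file; show that hunk or describe it next to this output, since it is the actual repair. Also confirm that `(meta (name R_12))` here versus `(meta (name R_12)` in the sabotage file is intentional.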